Framework/Configurations/SVT/AzureDevOps/AzureDevOps.Organization.json
{
"FeatureName": "Organization", "Reference": "aka.ms/azsktcp/Organization", "IsMaintenanceMode": false, "Controls": [ { "ControlID": "AzureDevOps_Organization_AuthN_Use_AAD_Auth", "Description": "Organization must be configured to authenticate users using Azure Active Directory backed credentials.", "Id": "Organization110", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckAADConfiguration", "Rationale": "Using the native enterprise directory for authentication ensures that there is a built-in high level of assurance in the user identity established for subsequent access control.All Enterprise subscriptions are automatically associated with their enterprise directory (xxx.onmicrosoft.com) and users in the native directory are trusted for authentication to enterprise subscriptions.", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/organizations/accounts/connect-organization-to-azure-ad?view=azure-devops#connect-your-organization-to-azure-ad", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_AuthN_Disable_External_Guest_Users", "Description": "Do not grant access to external users (users with accounts outside your native directory) to your organization.", "Id": "Organization120", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckExternalUserPolicy", "Rationale": "Non-AD accounts (such as xyz@hotmail.com, pqr@outlook.com, etc.) present at any scope within a organization subject your assets to undue risk. These accounts are not managed to the same standards as enterprise tenant identities. They don't have multi-factor authentication enabled.", "Recommendation": "Go to Organization Settings --> Security --> Policies --> User Policies --> Turn 'Off' external guest access", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_DP_Dont_Allow_Public_Projects", "Description": "Public projects must be turned off for Organization", "Id": "Organization130", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckPublicProjectPolicy", "Rationale": "Data/content in projects that have anonymous access can be downloaded by anyone on the internet without authentication. This can lead to a compromise of corporate data. ", "Recommendation": "Go to Organization Settings --> Security --> Policies --> Security Policies --> Turn 'Off' allow public projects", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_AuthZ_Justify_Guest_Identities", "Description": "Justify all guest identities that have been granted access to your organization.", "Id": "Organization140", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckGuestIdentities", "Rationale": "Non-AD accounts (such as xyz@hotmail.com, pqr@outlook.com, etc.) present at any scope within a Organization subject your cloud assets to undue risk. These accounts are not managed to the same standards as enterprise tenant identities. They don't have multi-factor authentication enabled. Etc.", "Recommendation": "Go to Organization Settings --> Users --> Apply Guest filter under 'AAD User Type' filter --> Validate and remove all unintended guest users present.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_SI_Review_Installed_Extensions", "Description": "Ensure that extensions enabled for your organization are trustworthy.", "Id": "Organization150", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "ValidateInstalledExtensions", "Rationale": "Running extensions from untrusted source can lead to all type of attacks and loss of sensitive enterprise data.", "Recommendation": "Go to Organization Settings --> Extensions --> Review all installed extensions in Organization.", "Tags": [ "SDL", "TCP", "Automated", "SI" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_SI_Review_Shared_Extensions", "Description": "Exercise due care when installing (private) shared extensions for your organization", "Id": "Organization160", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "ValidateSharedExtensions", "Rationale": "Running extensions from untrusted source can lead to all type of attacks and loss of sensitive enterprise data.", "Recommendation": "Go to Organization Settings --> Extensions --> Review all shared extensions in Organization.", "Tags": [ "SDL", "TCP", "Automated", "SI" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_AuthZ_Review_Extension_Managers", "Description": "Review the list of users who have permission to manage extensions", "Id": "Organization170", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckExtensionManagers", "Rationale": "Accounts with extension manager access can install/manage extensions for Organization. Members with this access without a legitimate business reason increase the risk for Organization. By carefully reviewing and removing accounts that shouldn't be there in the first place, you can avoid attacks if those accounts are compromised.", "Recommendation": "Go to Organization Settings --> Extensions --> Security --> Review indentities with manager role assigned.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_SI_Review_Inactive_Users", "Description": "Consider revoking access for inactive users", "Id": "Organization180", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckInActiveUsers", "Rationale": "Each additional person having access at Organization level increases the attack surface for the entire resources. To minimize this risk ensure that critical resources present in Organization are accessed only by the legitimate users when required.", "Recommendation": "Go to Organization Settings --> Users --> Filter last access column with never accessed users or not accessed over long period", "Tags": [ "SDL", "TCP", "Automated", "SI" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_AuthZ_Deleted_AD_DisconnectedUser_Access", "Description": "Remove access entries for users whose accounts have been deleted/disconnected from Azure Active Directory.", "Id": "Organization190", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckDisconnectedIdentities", "Rationale": "AD disconnected accounts present at any scope within a Organization are unknown guid access.", "Recommendation": "Go to Organization Settings --> Azure Active Directory --> It will have notification for disconnected users on AD --> Click on Resolve", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_AuthZ_Min_RBAC_Access", "Description": "All teams/groups must be granted minimum required permissions on Organization", "Id": "Organization200", "ControlSeverity": "High", "Automated": "No", "MethodName": "CheckRBACAccess", "Rationale": "Granting minimum access by leveraging RBAC feature ensures that users are granted just enough permissions to perform their tasks. This minimizes exposure of the resources in case of user/service account compromise.", "Recommendation": "Go to Organization Settings --> Permissions --> Select team/group --> Validate Permissions", "Tags": [ "SDL", "TCP", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_AuthZ_Review_Group_Members", "Description": "Justify all identities that are granted with member access on groups and teams.", "Id": "Organization210", "ControlSeverity": "High", "Automated": "No", "MethodName": "JustifyGroupMember", "Rationale": "Accounts that are a member of these groups without a legitimate business reason increase the risk for your Organization. By carefully reviewing and removing accounts that shouldn't be there in the first place, you can avoid attacks if those accounts are compromised.", "Recommendation": "Go to Organization Settings --> Permissions --> Groups --> Validate members of each group", "Tags": [ "SDL", "TCP", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_Audit_Configure_Critical_Alerts", "Description": "Alerts must be configured for critical actions on Organization", "Id": "Organization220", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Alerts notify the configured security point of contact about various sensitive activities on the Organization and its resources (for instance, external Extensions have been installed/modified etc.)", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/notifications/concepts-events-and-notifications?view=vsts", "Tags": [ "SDL", "TCP", "Manual", "Audit" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_AuthZ_Dont_Use_SVC_Accounts_No_MFA", "Description": "Service accounts cannot support MFA and should not be used for Org activity", "Id": "Organization230", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "Service accounts are typically not multi-factor authentication capable. Quite often, teams who own these accounts don't exercise due care (e.g., someone may login interactively on servers using a service account exposing their credentials to attacks such as pass-the-hash, phishing, etc.) As a result, using service accounts in any privileged role in a AzureDevOps exposes the Organization data to 'credential theft'-related attack vectors. (In effect, the Organization data becomes accessible after just one factor (password) is compromised...this defeats the whole purpose of imposing the MFA requirement for Organizations.)", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/notifications/concepts-events-and-notifications?view=vsts", "Tags": [ "SDL", "TCP", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_AuthZ_Use_SC-ALT_Accounts", "Description": " Smart Card Alt(SC-ALT) accounts must be used on Secure Admin Workstation(SAW) for privileged roles used for Org activity", "Id": "Organization240", "ControlSeverity": "High", "Automated": "No", "MethodName": "", "Rationale": "<TODO>", "Recommendation": "Refer: https://docs.microsoft.com/en-us/azure/devops/notifications/concepts-events-and-notifications?view=vsts", "Tags": [ "SDL", "TCP", "Manual", "AuthZ" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_AuthZ_Review_Project_Collection_Service_Accounts", "Description": "Minimize and reviews service accounts that are members of the Project Collection Service Accounts group.", "Id": "Organization250", "ControlSeverity": "High", "Automated": "Yes", "MethodName": "CheckProCollSerAcc", "Rationale": "ADO has a misleading group called Project Collection Service Accounts. By inheritance, Project Collection Service Accounts are also Project Collection Administrators. It is found that multiple build agent user accounts across Microsoft were members of Project Collection Service Accounts. An adversary that executes code in a pipeline assigned to one of these build agents can take over the entire ADO organization", "Recommendation": "Go to Organization Settings --> Security --> Permissions --> Project Collection Service Accounts --> Validate all the members.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_AuthN_Enable_App_Access_OAuth", "Description": "OAuth should be enabled for third party application access", "Id": "Organization260", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckOAuthAppAccess", "Rationale": "TBD", "Recommendation": "Go to Organization Settings --> Security --> Policies --> Application connection policies --> Enable Third-party application access via OAuth", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_SI_Review_Auto_Injected_Extensions", "Description": "Set of auto-injected pipeline tasks should be carefully scrutinized.", "Id": "Organization270", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "AutoInjectedExtension", "Rationale": "Auto-injected pipeline tasks will run in every pipeline. If an attacker can change/influence the task logic/code, it can have catastrophic consequences for the entire organization.", "Recommendation": "Go to Organization Settings --> Extensions -> Verify the auto-injected extensions.", "Tags": [ "SDL", "TCP", "Automated", "SI" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_AuthN_Enable_SSH_Auth", "Description": "SSH authentication should be enabled for Application connection policies", "Id": "Organization280", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckSSHAuthn", "Rationale": "TBD", "Recommendation": "Go to Organization Settings --> Security --> Policies --> Application connection policies --> Enable SSH Authentication", "Tags": [ "SDL", "TCP", "Automated", "AuthN" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_AuthZ_Verify_Enterprise_Access_To_Projects", "Description": "Enterprise access to projects should be verified.", "Id": "Organization290", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckEnterpriseAccess", "Rationale": "TBD", "Recommendation": "Go to Organization Settings --> Security --> Policies --> Security policies --> Disable Enterprise access to projects", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_AuthZ_Enable_AAD_Conditional_Access_Policy", "Description": "AAD Conditional Access Policy should be enabled.", "Id": "Organization300", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckCAP", "Rationale": "TBD", "Recommendation": "Go to Organization Settings --> Security --> Policies --> Security policies --> Enable Azure Active Directory Conditional Access Policy Validation.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_DP_Disable_Anonymous_Access_To_Badges", "Description": "Anonymous access to status badge API for parallel pipelines should be disabled.", "Id": "Organization310", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckBadgeAnonAccess", "Rationale": "TBD", "Recommendation": "Go to Organization Settings --> Pipelines --> Settings --> Enable 'Disable anonymous access to badges'.", "Tags": [ "SDL", "TCP", "Automated", "DP" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_SI_Limit_Variables_Settable_At_Queue_Time", "Description": "Only those variables explicitly marked settable at queue time can be set.", "Id": "Organization320", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckSetQueueTime", "Rationale": "TBD", "Recommendation": "Go to Organization Settings --> Pipelines --> Settings --> Enable 'Limit variables that can be set at queue time.'.", "Tags": [ "SDL", "TCP", "Automated", "SI" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_AuthZ_Limit_Job_Authorization_Scope_To_Current_Project", "Description": "Scope of access of all pipelines should be restricted to current project.", "Id": "Organization330", "ControlSeverity": "Medium", "Automated": "Yes", "MethodName": "CheckJobAuthnScope", "Rationale": "This ensures pipeline execution happens using a token scoped to the current project abiding with principle of least privilege.", "Recommendation": "Go to Organization Settings --> Pipelines --> Settings --> Enable 'Limit job authorization scope to current project.'.", "Tags": [ "SDL", "TCP", "Automated", "AuthZ" ], "Enabled": true }, { "ControlID": "AzureDevOps_Organization_Auditing_Backup", "Description": "Audit logs are stored for 90 days and then they’re deleted. Back up audit logs to an external location to keep the data for longer than the 90-day period.", "Id": "Organization340", "ControlSeverity": "Medium", "Automated": "No", "MethodName": "", "Rationale": "Auditing contains many changes that occur throughout an Azure DevOps organization. Changes occur when a user or service identity within the organization edits the state of an artifact. In some limited cases, it can also include accessing an artifact. Think permissions changes, resource deletion, branch policy changes, accessing the auditing feature, and much more.", "Recommendation": "Go to Organization Settings --> Auditing --> Download", "Tags": [ "SDL", "TCP", "Manual", "Audit" ], "Enabled": true } ] } |